Welcome to SaaS thoughts

Whether you call it Software as a Service (SaaS), Managed Service Provider (MSP) or On-Demand Services, your organization uses the service running “in the cloud”. This blog will discuss these services, their benefits, drawbacks and operations. Are we biased? Yes. We believe that some services make sense for most organizations. Email security is one of those. However, as Mark Twain said, “All generalizations are false, even this one.” Each Tuesday we will post information and questions about Software as a Service. Occasionally, we will have a "Guest Post" from either a consultant or a vendor posting her/his thoughts on Managed Services generally, with some degree of specificity based on her/his unique perspective. We encourage your insights, comments and feedback. Welcome.

While the “Future of SaaS” Survey had only been open for a few days, the trend of the responses to the question “Are There Any Concerns or Reluctance to Using Cloud-based Services?” was clear. Even though the remaining options are getting votes, the top four answers are as we expected.

Security – Does anyone have unauthorized access to my data in the “cloud”? (57% of respondents)

Security

The security concern of using a cloud-based service (SaaS) is the same as that of an on-premise service. The familiar model of servers in an on-premise data center gives a sense of security. Having the server or service somewhere “in the cloud” brings about a sense of uncertainty. You can’t point to anything meaningful. Of course, the same can be said of using a bank instead of stuffing money under the mattress. Both have a set of risks with which you need to be comfortable.

Security involves two main questions:

Does the cloud-based service hold data or just process it?

How can a user gain access to the data?

Data processors

An email security service simply processes the email stream. It may hold spam in a queue, awaiting someone to approve messages deemed not to be spam. Past that, email security services are not email repositories, so there is no data (beyond the spam queue) to see even if it were possible to hack into one. There are logs of processing statistics, but there is no message content in those logs. The data is on your email server.

Web security services act as transparent proxies, so no data beyond logs is held by the proxy. Those logs usually show browser and bandwidth histories and may identify users’ specific browsing habits. These systems can usually be configured not to show users’ identities for greater privacy.

Data repositories

In contrast to the above, hosted services such as email, business intelligence and CRM are data repositories and are of more concern. Unless you have arranged for the use of an entire real or virtual server, your data will be held on a multi-tenant server. All that means is that large, capacious clusters of servers host your system along with those of other organizations. Just as your on-premise server farm can host multiple email post offices, each with discrete sets of users, large multi-tenant server systems host multiple systems, each for a discrete set of a company’s users.

Access to data

Studies on unauthorized access show that in the majority of cases, the unauthorized access was by someone inside the organization; someone who knew a login and password. The same problem will hold with a hosted service. To prevent someone outside your organization from gaining access, cloud-based systems strictly control the channels through which access can be made. Access to the data on a cloud-based server is via a secure Internet connection (HTTPS) or a point-to-point VPN. Still, if users are not careful with logins and passwords, it doesn’t matter whether the service is on-premise or cloud-based.

A key to confidence in a SaaS data repository is confirming whether the provider’s hosting and staff are SAS 70 Type II compliant. This covers all of the provider’s security, process, and hosting ability. It’s the highest level of audit done on hosted providers. It is unlikely that an organization’s on-premise data center could pass a SAS 70 Type II compliance audit.

Physical security of the data

Here is where most first-time clients are surprised. Typically, cloud-based services are far more secure than all but the most extreme on-premise data centers. They have to be, since their reputation depends on the security of your data. These are not some lashed-together servers in someone’s utility closet. Here’s an example of our hosted Microsoft Exchange 2010 system contrasted with typical on-premise conditions.

Our system consists of four clusters of servers throughout the US. Additional clusters are in the UK. Each cluster has the following security layers:

Putting a massive cluster of redundant and replicating servers in such highly secure data centers is usually beyond the budget and need of most organizations. What a cloud-based system offers most organizations is secure, pay-as-you-use systems.